
CVE-2023-5868

Postgresql: memory disclosure in aggregate function calls

Published: 12/10/2023 Last updated: 11/15/2024 Reserved: 10/31/2023

A memory disclosure vulnerability was found in PostgreSQL that allows remote users to access sensitive information by exploiting certain aggregate function calls with 'unknown'-type arguments. Handling 'unknown'-type values from string literals without type designation can disclose bytes, potentially revealing notable and confidential information. This issue exists due to excessive data output in aggregate function calls, enabling remote users to read some portion of system memory.

CNA assigner: redhat (53f830b8-0a3f-465b-8143-3b8a9948e749) Requested by: n/a

Metrics

Version: 3.1
Score: 4.3
Severity: Medium
Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Opam packages affected (5)

conf-mingw-w64-postgresql-i686 conf-mingw-w64-postgresql-x86_64 conf-postgresql ocsigen-start postgresql

Products affected (45)

Product (Vendor: Red Hat)
RHACS-3.74-RHEL-8
RHACS-4.1-RHEL-8
Red Hat Advanced Cluster Security 4.2
Red Hat Enterprise Linux 6
Red Hat Enterprise Linux 7
Red Hat Enterprise Linux 8
Red Hat Enterprise Linux 8.2 Advanced Update Support
Red Hat Enterprise Linux 8.2 Telecommunications Update Service
Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions
Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
Red Hat Enterprise Linux 8.4 Telecommunications Update Service
Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
Red Hat Enterprise Linux 8.6 Extended Update Support
Red Hat Enterprise Linux 8.8 Extended Update Support
Red Hat Enterprise Linux 9
Red Hat Enterprise Linux 9.0 Extended Update Support
Red Hat Enterprise Linux 9.2 Extended Update Support
Red Hat Software Collections
Red Hat Software Collections for Red Hat Enterprise Linux 7

References (51)

Credits (1)